Access control is the restriction of unauthorised access to a portion of a computer system or the entire system.
a) Explain the following control techniques and their significance in the context of data security.
i) Biometric control
ii) Data encryption
iii) Logical access
Application controls can be classified into three major categories: input controls, processing controls and output controls.
b) Describe the objective of each control and examine the techniques within each to ensure maintenance of maximum feasible levels of control.
a) Control techniques and their significance in the context of data security.
i) Biometrics control
These are controls that involve a high level of technology where the system identifies a user by recognising his biological characteristics. The most commonly available systems are voice recognition systems, which are able to recognise the user's voice and thus allow him access to the system. Also, biometrics systems are available which are able to recognise a user's eyes. A system user needs only to focus his or her eyes before a beam of light which is displayed by the system input machine, which then sends signals to the processor for the user authentication.
This form of control is important to data security in that:
1. It is accurate and cannot be forged by unauthorised users.
2. It is a fast way since no keying of data is required.
ii) Data encryption
This is a control technique which involves scrambling the data at one end of the line, transmitting the scrambled data and unscrambling it at the receiver's end of the line. Scrambling refers to transformation of data into codes and characters that cannot be read by an ordinary person. Data encryption is a way of preventing electronic eavesdropping or wire-tapping.
Encryption ensures data integrity which means that data is preserved in the same status as in the source document and has not been accidentally or incidentally destroyed or disclosed.
It also ensures that privacy over data is maintained and that individuals are assured of the control and use of their own information.
iii) Logical access
This refers to restricting those who have access to the terminal of a computer from gaining access to the data of a software. They are also known as data controls. They ensure that:
– Data is collected in full and with accuracy.
– Data is held up to date.
– Data is processed in the right way to produce the required report.
– Reports are generated at the required time.
Some examples of logical access controls include:
1. Password: – This is a set of characters, which may be allocated to a person, terminal, or facility and which must be keyed in before access is permitted. It is used to identify the user and check the user authority.
2. Personal identification numbers (PIN): – This refers to a set of characters which must be keyed in to the system to allow further access to the system. They are allocated to each individual user of the system.
b) Objectives of application controls and the techniques within each to ensure maintenance of maximum feasible levels of control
1. Input controls
These controls ensure that there has been a complete and accurate conversion of data from the source document to the input media. The checking needs to detect missing data, incorrect digits or any type of deviation in the entry.
Input techniques include:
i) Transaction codes: – In any organisation, data represents people, events, assets, objects, etc., and so codes can be allocated to each transaction document, field, record or file.
ii) Form design: – When a source document is required for the collection of data, this form can be designed to force more legible entries by the use of individual blocks for each character to be recorded.
iii) Verification: – Source documents prepared by one clerk can be verified or proof-read by another to improve accuracy. In a data conversion operation such as keypunching or keyboard to storage, a second operator can verify each document.
iv) Control totals: – To minimise loss of data when it is being transported from one location to another, or to check on the results of different processes, control totals are prepared for specific batches of data.
v) Check digits: – This control technique ensures maintenance of feasible levels of control through ensuring: –
a) That only data essential for the purpose of the system should be collected.
b) Only persons specifically authorised to have access to the data should do so and their use of the data must conform to that of the agreed system.
c) Strong security measures are applied to minimise the risks that the data is accidentally or deliberately distorted or revealed.
2. Processing controls
These are procedures incorporated into the program to ensure that there is complete and accurate processing of the data that has been entered into the system.
Processing control techniques include:
i) The edit run: – This consists of a series of checks, e.g. programmed checks which would include record counts, control totals, hash totals, numerical fields, and alphabetic data in alphabetic fields.
ii) Limit checks and overflow tests: – These test arithmetical accuracy.
iii) Other checks to ensure that correct files are being processed by reference to external labels, internal labels and volume labels.
Feasible levels of control are achieved through:
i) Ensuring that only beneficial systems are developed.
ii) Ensuring that suitable operational and administrative controls are built into systems design.
3. Output controls
These are controls established as final checks on the accuracy and completeness of the processed information. The following control procedures are related to output controls.
i) An initial screening should be conducted to detect obvious errors.
ii) Output should be immediately routed to a controlled area and distributed only by authorised persons to authorised persons.
iii) Output control totals should be reconciled to input control totals to ensure that no data have been changed, lost or added during processing or transmission, e.g. the number of input records divided for processing should equal the number of records processed.
iv) Any highly sensitive output that should not be accessible by the computer centre should be generated via an output device in a secure location away from the computer room.
v) Control errors and exception reporting would also be part of output controls. These controls should specify how exceptions and errors should be handled.
The objectives of these controls to ensure feasible control levels are:
a) To ensure that output is guarded against distribution to the wrong persons or unauthorised access, thus improving data security.
b) To safeguard data privacy, whose disclosure may be costly to the organisation, for example, business secrets.
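The batch control totals, edit run and output reconciliation described above can be shown working together. The following is an added example, not part of the original answer; the record layout (account number, amount), the amount limit of 10000 and all function names are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

AMOUNT_LIMIT = Decimal("10000")  # assumed limit for the limit check

# Constructed sample batch: (account number, amount) taken from source documents.
SOURCE_BATCH = [("100234", "250.00"), ("100871", "75.50"), ("100455", "1200.00")]


def control_totals(records):
    """Batch totals: record count, control total of amounts, hash total of account numbers."""
    return {
        "record_count": len(records),
        "control_total": sum(Decimal(amount) for _, amount in records),
        "hash_total": sum(int(account) for account, _ in records),
    }


def edit_run(records):
    """Programmed checks on keyed records; returns (accepted, exceptions)."""
    accepted, exceptions = [], []
    for position, (account, amount) in enumerate(records, start=1):
        if not (account.isascii() and account.isdigit()):
            exceptions.append((position, "account number is not numeric"))
            continue
        try:
            value = Decimal(amount)
            within_limit = value.is_finite() and 0 < value <= AMOUNT_LIMIT
        except InvalidOperation:
            exceptions.append((position, "amount is not numeric"))
            continue
        if not within_limit:
            exceptions.append((position, "amount fails limit check"))
            continue
        accepted.append((account, amount))
    return accepted, exceptions


def reconcile(input_totals, output_totals):
    """Names of the totals that differ between input and output."""
    return [name for name, value in input_totals.items() if output_totals.get(name) != value]


def process_batch(input_totals, keyed_records):
    """Edit run, then reconcile totals of accepted records to the input totals."""
    accepted, exceptions = edit_run(keyed_records)
    return exceptions, reconcile(input_totals, control_totals(accepted))
```

A transposed account number passes every field check in the edit run and leaves the record count and control total unchanged; only the hash total exposes it, which is why the otherwise meaningless sum is kept.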